The European Union Medical Device Regulation (EU MDR) was crafted in April 2017 and took effect twenty days later. However, it was only implemented on May 26, 2021. The regulation's timeline is confusing, but it is something that device manufacturers, healthcare providers, and consumers should get acquainted with.
MDR continues to be a popular buzzword in the world of cybersecurity in light of the attacks on IoT and embedded devices. A 2023 survey shows that 97 percent of organizations admit that they struggle to protect their IoT devices while around 89 percent of them reported that they have been the target of cyber attacks that resulted in significant damage.
Collectively, the IoT devices used in medicine are called IoMT, the Internet of Medical Things. They are gaining popularity, with a market value expected to reach $167 billion by 2028, growing at a CAGR of 29.5 percent over the 2021-2028 forecast period. It makes perfect sense to be mindful of securing these devices in line with applicable regulations, particularly the MDR.
Updated medical device regulation
The MDR is not the European Union's first attempt to regulate medical devices. The EU already had the Medical Device Directive (MDD) and the Active Implantable Medical Device Directive (AIMDD) for many years. However, the MDR was introduced in response to a wave of scandals involving defective products. It also set new rules for classifying medical devices and put in place stricter requirements regarding clinical evaluation and post-market surveillance.
The MDR was updated to reflect the evolution of the technologies integrated into medical devices. Proponents of the regulation seek to make it a dynamic and adaptable way to control the devices made available to the public and to address the new risks and challenges affecting new devices.
In particular, the MDR expands the definition of medical devices, enhances transparency and traceability, and improves post-market surveillance requirements. It also requires device manufacturers to have at least one person to take charge of making sure that their products comply with all applicable regulations.
Cybersecurity implications
The updated MDR regards cybersecurity as a new area of emphasis. It sets new requirements to facilitate cyber protection and prevent threat actors from exploiting vulnerabilities in connected medical devices. With many healthcare providers still familiarizing themselves with advanced web-enabled medical devices that cyber threat actors are targeting, it is good to have a cybersecurity-oriented MDR. The MDR stresses the importance of making sure that devices are designed, developed, and used securely.
The MDR text that came into force in 2017 has only four paragraphs of cybersecurity requirements. However, these paragraphs are supplemented by an annex document (known as Annex I), which addresses several concerns. The document expands on the data protection requirements in MDR's Article 62.4. It also sets guidelines on conformity assessment and post-market surveillance. Additionally, it provides more details about Periodic Safety Update Reports (PSUR), trend reporting, and technical documentation.
Moreover, the European Commission issued MDCG 2019-16, which provides more guidance on ensuring the cybersecurity of medical devices. This document has 47 pages of cybersecurity requirements focusing on devices with medical or healthcare applications.
Bolstering healthcare cybersecurity
Medical devices are just one of the many cybersecurity concerns in the healthcare industry, but they are a significant and expansive one. The MDR's definition of a medical device is not limited to the equipment in a hospital or the wearables and implants patients use. It includes all apparatuses, gadgets, instruments, reagents, and implants, as well as software developed for medical and healthcare purposes such as diagnostics, prognosis, treatment, patient monitoring, disease prevention, and the alleviation of diseases or health conditions.
This MDR definition covers the overwhelming majority of the technologies employed in the healthcare setting. Also, the definition does not refer only to devices and software used in healthcare as standalone solutions; it includes those that serve as complements, supplements, or accessories to other products. Software used to track a person's location, for example, is ordinarily not regarded as a medical device, but under the MDR definition it can be considered one if it is used as part of a system employed in healthcare. Hence, it may be subject to MDR requirements.
Integrating MDR with healthcare cybersecurity has the effect of adopting the following useful concepts and actions:
- Secure by design – MDR requires device makers to make sure that their products are secure from the get-go and not rely on security patching to address problems as they are discovered in the course of using a device. Also, MDR asks for the specification of security mechanisms, which makes clearly laid out security policies a must, not optional.
- Effective compulsory security management – Under MDR, device makers need to have an organized, well-planned, and properly documented security regime that covers a device’s entire lifecycle. It also calls for the effective implementation of plans and security verification and validation. The post-market surveillance requirement, in particular, directs device makers to make sure that they are on top of security issues even when the devices are already in the possession of consumers. Device makers are also expected to put in place a coordinated troubleshooting framework to address defects and other issues. Additionally, MDR requires an efficient way of implementing security updates like pushing firmware updates or security patches as quickly as possible in response to newly discovered vulnerabilities.
- Collaboration – Cybersecurity is a shared responsibility, and MDR demonstrates this by normalizing cooperation among device makers, regulators, healthcare providers, and consumers. MDR facilitates the rapid reporting or sharing of information about defects and cyber-attacks on devices to make sure that they are addressed promptly.
The MDR and cybersecurity connection
MDR may be better known as a regulation aimed at ensuring the safety and effectiveness of medical devices, but it has a cybersecurity component. Complying with it is a significant step towards ensuring the cybersecurity of medical devices. Its rules are mainly for device makers, but it also has requirements involving healthcare providers and patients or healthcare product users/consumers. As such, it is an important factor in healthcare cybersecurity.